CORS in Grails - Do all requests fail?

I am trying to configure CORS support in Grails and I am using the following filter:

class CorsFilters {
    def filters = {
        all(controller:'*', action:'*') {
            before = {
                response.setHeader("Access-Control-Allow-Origin", "*")
            }
        }
    }
}

From testing, it seems that the response header is correctly configured for all requests, but when I make a request from the outside against the local host or any server accessible to me, I get the following error:

XMLHttpRequest cannot load http://server:8080. Origin http://jsbin.com is not allowed by Access-Control-Allow-Origin.

This live example works on my Chrome instance, so I don’t know what could happen here. In unsuccessful requests, I try to push tomcat directly.

What can happen to prevent this from happening?

+5
3 answers

It seems that the default Grails filters run the filter chain too long.

web.xml sitemesh, .

<filter>
    <filter-name>CORSFilter</filter-name>
    <filter-class>com.blah.CorsFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>CORSFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

package com.blah

import javax.servlet.*
import javax.servlet.http.HttpServletResponse

class CorsFilter implements Filter {
    public void init(FilterConfig fConfig) throws ServletException { }

    public void destroy() { }

    public void doFilter(
            ServletRequest request, ServletResponse response,
            FilterChain chain) throws IOException, ServletException {

        // Set the CORS header at the servlet-filter level, then continue down the chain
        ((HttpServletResponse) response).addHeader(
                "Access-Control-Allow-Origin", "*"
        )
        chain.doFilter(request, response)
    }
}
+2

. , .

response.setHeader('Access-Control-Allow-Origin', request.getHeader("Origin"))
response.setHeader('Access-Control-Allow-Methods', 'POST, PUT, GET, OPTIONS, PATCH')
response.setHeader('Access-Control-Allow-Headers', 'X-Additional-Headers-Example')
response.setHeader('Access-Control-Allow-Credentials', 'true')
response.setHeader('Access-Control-Max-Age', '1728000')
+1

Access-Control-Allow-Origin should contain the exact domain name (by the way, for some browsers '*'), jsbin.com in your case.

0
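
An added example, not code from the question or any of the answers: a Groovy servlet filter that echoes the Origin header only when it is on an allowlist, because reflecting every Origin together with Access-Control-Allow-Credentials: true lets any site read authenticated responses. The class name AllowlistCorsFilter, the helper allowedOrigin and the contents of ALLOWED_ORIGINS are assumptions; it is registered in web.xml the same way as the CorsFilter above.

```groovy
package com.blah  // assumption: same package as the web.xml mapping shown above

import javax.servlet.*
import javax.servlet.http.HttpServletRequest
import javax.servlet.http.HttpServletResponse

class AllowlistCorsFilter implements Filter {
    // Assumption: the trusted origins for this deployment.
    // Scheme, host and port must match exactly; no wildcards or suffix matching.
    static final Set<String> ALLOWED_ORIGINS = ['http://jsbin.com'] as Set

    void init(FilterConfig fConfig) throws ServletException { }

    void destroy() { }

    // Returns the origin to echo back, or null when the caller is not trusted.
    static String allowedOrigin(String origin) {
        return (origin != null && ALLOWED_ORIGINS.contains(origin)) ? origin : null
    }

    void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request
        HttpServletResponse res = (HttpServletResponse) response

        // The response differs per Origin, so shared caches must key on it.
        res.addHeader('Vary', 'Origin')

        String origin = allowedOrigin(req.getHeader('Origin'))
        if (origin != null) {
            res.setHeader('Access-Control-Allow-Origin', origin)
            res.setHeader('Access-Control-Allow-Credentials', 'true')
        }

        // A preflight is an OPTIONS request carrying Access-Control-Request-Method.
        boolean preflight = req.method == 'OPTIONS' && req.getHeader('Access-Control-Request-Method') != null
        if (preflight) {
            if (origin != null) {
                res.setHeader('Access-Control-Allow-Methods', 'POST, PUT, GET, OPTIONS, PATCH')
                res.setHeader('Access-Control-Allow-Headers', 'X-Additional-Headers-Example')
                res.setHeader('Access-Control-Max-Age', '1728000')
            }
            // Answer the preflight here; untrusted origins get no CORS headers at all.
            res.setStatus(HttpServletResponse.SC_OK)
            return
        }
        chain.doFilter(request, response)
    }
}
```

A request from an origin outside the allowlist still reaches the application, but the browser refuses to expose the response to the calling page because no Access-Control-Allow-Origin header is returned.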